Analysis Overview
SHA256
db7dbe105a8dc66001471482676ff758da4022321a2371a28b638aafe60c0163
Threat Level: Known bad
The file abfb51c632365023e1367b1252d5cc23 (MD5) was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook
Xloader
Xloader Payload
Adds policy Run key to start application
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Drops file in Program Files directory
Modifies Internet Explorer settings
Gathers network information
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2022-06-16 09:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-16 09:44
Reported
2022-06-16 09:50
Platform
win7-20220414-en
Max time kernel
152s
Max time network
163s
Signatures
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
4 matches (no description, indicator, process or target recorded)
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YJSDLR18N = "C:\\Program Files (x86)\\Kdbwtpt\\gdiypx0.exe" | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 108 set thread context of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 1144 set thread context of 1228 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 964 set thread context of 1228 | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | C:\Windows\Explorer.EXE |
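The SetThreadContext table above is the whole injection chain of this sample in three rows: the lure binary rewrites the thread context of a freshly spawned .NET utility (cvtres.exe), the hollowed cvtres.exe then injects into Explorer, and a second system binary (NETSTAT.EXE) launched from Explorer injects into Explorer again. The script below, an added example rather than anything from the original report, rebuilds that chain from events constructed to mirror the table and applies two verdicts: a non-Windows image rewriting the thread context of a Windows binary is hollowing, and anything rewriting Explorer's thread context is injection into the shell. The tuple layout of EVENTS is this script's own assumption, not a sandbox export format.

```python
"""Reconstruct the SetThreadContext injection chain recorded above.

Added example, not part of the original sandbox report. EVENTS is
constructed from the behavioral1 'Suspicious use of SetThreadContext'
table; the tuple layout (source pid, source image, target pid, target
image) is this script's own assumption, not a sandbox export format.
"""
from collections import defaultdict
import ntpath

EVENTS = [
    (108, r"C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe",
     1144, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"),
    (1144, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     1228, r"C:\Windows\Explorer.EXE"),
    (964, r"C:\Windows\SysWOW64\NETSTAT.EXE",
     1228, r"C:\Windows\Explorer.EXE"),
]


def basename(image):
    # ntpath handles backslash paths regardless of the host OS
    return ntpath.basename(image).lower()


def is_windows_binary(image):
    return image.lower().startswith("c:\\windows\\")


def injection_chains(events):
    """Follow source->target edges from every pid that is never itself a
    target; return each chain as a list of image paths."""
    edges = defaultdict(list)
    images = {}
    for spid, simg, tpid, timg in events:
        edges[spid].append(tpid)
        images[spid], images[tpid] = simg, timg
    targets = {tpid for _, _, tpid, _ in events}
    chains = []

    def walk(pid, trail):
        trail = trail + [pid]
        if not edges.get(pid):
            chains.append(trail)
            return
        for nxt in edges[pid]:
            if nxt in trail:        # guard against cyclic pid reuse
                chains.append(trail)
            else:
                walk(nxt, trail)

    for root in [p for p in edges if p not in targets]:
        walk(root, [])
    return [[images[p] for p in chain] for chain in chains]


def findings(events):
    """Per-event verdicts: hollowing when a non-Windows image rewrites the
    thread context of a Windows binary; explorer-injection when any
    process rewrites Explorer's thread context."""
    out = []
    for spid, simg, tpid, timg in events:
        src, dst = basename(simg), basename(timg)
        if not is_windows_binary(simg) and is_windows_binary(timg):
            out.append(("hollowing", src, dst, spid, tpid))
        if dst == "explorer.exe":
            out.append(("explorer-injection", src, dst, spid, tpid))
    return out


if __name__ == "__main__":
    for chain in injection_chains(EVENTS):
        print(" -> ".join(basename(p) for p in chain))
    for verdict in findings(EVENTS):
        print(verdict)
```

Run as-is it prints the two chains (lure -> cvtres.exe -> Explorer, NETSTAT.EXE -> Explorer) and three verdicts. The same two rules fire on the behavioral2 rows, where cmstp.exe takes the place of NETSTAT.EXE; the choice of which system binary to hollow is made per run, so detections should key on the pattern (signed Windows binary rewriting Explorer's thread context) rather than the binary name.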
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Kdbwtpt\gdiypx0.exe | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Process | Occurrences |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 2 |
| C:\Windows\SysWOW64\NETSTAT.EXE | 17 |
Suspicious behavior: MapViewOfSection
| Process | Occurrences |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 3 |
| C:\Windows\SysWOW64\NETSTAT.EXE | 4 |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe | "C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\NETSTAT.EXE | "C:\Windows\SysWOW64\NETSTAT.EXE" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.kekenapeps.com | udp |
| US | 69.57.161.210:80 | www.kekenapeps.com | tcp |
| US | 8.8.8.8:53 | www.earntrading24.com | udp |
| US | 199.188.200.173:80 | www.earntrading24.com | tcp |
| US | 199.188.200.173:80 | www.earntrading24.com | tcp |
| US | 8.8.8.8:53 | www.rodfernandesmarketing.com | udp |
| US | 45.152.44.238:80 | www.rodfernandesmarketing.com | tcp |
| US | 45.152.44.238:80 | www.rodfernandesmarketing.com | tcp |
| US | 8.8.8.8:53 | www.masjidmuqarrabin.com | udp |
| US | 8.8.8.8:53 | www.masjidmuqarrabin.com | udp |
| US | 8.8.8.8:53 | www.thenftofficial.com | udp |
| DE | 217.160.0.161:80 | www.thenftofficial.com | tcp |
| DE | 217.160.0.161:80 | www.thenftofficial.com | tcp |
| US | 8.8.8.8:53 | www.theswanmarketing.com | udp |
| US | 8.8.8.8:53 | www.monicaconsulting.com | udp |
| US | 52.71.57.184:80 | www.monicaconsulting.com | tcp |
| US | 52.71.57.184:80 | www.monicaconsulting.com | tcp |
| US | 8.8.8.8:53 | www.thedentalmethoddallas.com | udp |
| US | 8.8.8.8:53 | www.tangkichco.com | udp |
| US | 38.26.245.41:80 | www.tangkichco.com | tcp |
| US | 38.26.245.41:80 | www.tangkichco.com | tcp |
| US | 8.8.8.8:53 | www.outlookrepairhelp.com | udp |
| HK | 45.153.129.57:80 | www.outlookrepairhelp.com | tcp |
| HK | 45.153.129.57:80 | www.outlookrepairhelp.com | tcp |
| US | 8.8.8.8:53 | www.aemsmc.com | udp |
Files
memory/108-54-0x0000000000F30000-0x0000000000F6C000-memory.dmp
memory/108-55-0x00000000003D0000-0x0000000000406000-memory.dmp
memory/1144-56-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1144-57-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1144-59-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1144-60-0x000000000041F370-mapping.dmp
memory/1144-62-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1144-63-0x00000000008F0000-0x0000000000BF3000-memory.dmp
memory/1144-64-0x0000000000200000-0x0000000000211000-memory.dmp
memory/1228-65-0x0000000004270000-0x000000000432B000-memory.dmp
memory/964-66-0x0000000000000000-mapping.dmp
memory/1984-67-0x0000000000000000-mapping.dmp
memory/964-68-0x0000000000F50000-0x0000000000F59000-memory.dmp
memory/964-69-0x00000000000C0000-0x00000000000EB000-memory.dmp
memory/964-70-0x0000000000C40000-0x0000000000F43000-memory.dmp
memory/964-71-0x0000000000AB0000-0x0000000000B40000-memory.dmp
memory/1228-72-0x0000000005C30000-0x0000000005CEA000-memory.dmp
memory/1228-73-0x0000000004270000-0x000000000432B000-memory.dmp
memory/964-74-0x0000000075A61000-0x0000000075A63000-memory.dmp
memory/1228-75-0x0000000005C30000-0x0000000005CEA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-16 09:44
Reported
2022-06-16 09:50
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
162s
Signatures
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
4 matches (no description, indicator, process or target recorded)
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\cmstp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CPXHR = "C:\\Program Files (x86)\\Lifm4\\igfxgxd0dxl.exe" | C:\Windows\SysWOW64\cmstp.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1672 set thread context of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 3736 set thread context of 2040 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 3960 set thread context of 2040 | N/A | C:\Windows\SysWOW64\cmstp.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Lifm4\igfxgxd0dxl.exe | C:\Windows\SysWOW64\cmstp.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\cmstp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Process | Occurrences |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 3 |
| C:\Windows\SysWOW64\cmstp.exe | 2 |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\SysWOW64\cmstp.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe | "C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\cmstp.exe | "C:\Windows\SysWOW64\cmstp.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
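Three of the behaviours in this detonation are visible in plain command lines and registry writes rather than in memory: the lure filename SR2022061584,pdf.exe (a document-looking name that is really an EXE), the cmd.exe call that deletes the hollowed cvtres.exe host once the payload has migrated, the cmd.exe call that copies Chrome's Login Data store to Temp\DB1, and the Policies\Explorer\Run value written by cmstp.exe. The script below is an added example, not part of the original report; its event dicts are constructed from the Processes and "Adds policy Run key" sections of this detonation, and the field names (image, cmdline, writer, key, name, data) are this script's own assumption, not a sandbox export format.

```python
"""Triage rules over the process and registry events recorded above.

Added example, not part of the original sandbox report. PROCESS_EVENTS
and REGISTRY_EVENTS are constructed from the behavioral2 'Processes' and
'Adds policy Run key' sections; the dict field names are this script's
own assumption, not a sandbox export format.
"""
import ntpath
import re

# Chromium and Firefox credential/cookie stores a stealer copies out
BROWSER_STORES = ("login data", "web data", "cookies", "logins.json", "key4.db")

PROCESS_EVENTS = [
    {"image": r"C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe"'},
    {"image": r"C:\Windows\SysWOW64\cmstp.exe",
     "cmdline": r'"C:\Windows\SysWOW64\cmstp.exe"'},
    {"image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"'},
    {"image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
                r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
]

REGISTRY_EVENTS = [
    {"writer": r"C:\Windows\SysWOW64\cmstp.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "name": "CPXHR",
     "data": r"C:\Program Files (x86)\Lifm4\igfxgxd0dxl.exe"},
]


def lure_extension(image):
    """True for names such as 'SR2022061584,pdf.exe': a document extension
    separated from the real .exe by a comma, dot, space or similar."""
    name = ntpath.basename(image).lower()
    return re.search(r"[,._ -](pdf|docx?|xlsx?|jpe?g|png)\.exe$", name) is not None


def deleted_windows_binary(cmdline):
    """Return the path if the command line is 'cmd /c del <file under C:\\Windows>'."""
    m = re.match(r'^\s*/c\s+del\s+"?([^"]+?)"?\s*$', cmdline, re.I)
    if m and m.group(1).lower().startswith("c:\\windows\\"):
        return m.group(1)
    return None


def copies_browser_store(cmdline):
    low = cmdline.lower()
    return re.search(r"\bcopy\b", low) is not None and any(s in low for s in BROWSER_STORES)


def triage(process_events, registry_events):
    """Return (rule, detail) pairs in event order."""
    hits = []
    for ev in process_events:
        image, cmdline = ev["image"], ev["cmdline"]
        if lure_extension(image):
            hits.append(("lure-extension", ntpath.basename(image)))
        if ntpath.basename(image).lower() == "cmd.exe":
            target = deleted_windows_binary(cmdline)
            if target:
                hits.append(("delete-windows-binary", target))
            if copies_browser_store(cmdline):
                hits.append(("browser-credential-store-copy", cmdline))
    for ev in registry_events:
        # Policies\Explorer\Run is set by Group Policy, not by applications;
        # any application writing it is a persistence candidate
        if ev["key"].lower().endswith("\\policies\\explorer\\run"):
            hits.append(("policy-run-key",
                         f'{ev["name"]} = {ev["data"]} (written by {ntpath.basename(ev["writer"])})'))
    return hits


if __name__ == "__main__":
    for rule, detail in triage(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"{rule:32} {detail}")
```

On the behavioral1 events the same rules fire with NETSTAT.EXE as the registry writer and no credential copy (that run only created the IntelliForms\Storage2 key). The delete rule is deliberately narrow: the file deleted is the Windows binary whose process was hollowed, which is what distinguishes cleanup of an injection host from an installer removing its own temp files.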
Network
| Country | Destination | Domain | Proto |
| NL | 88.221.144.179:80 | | tcp |
| NL | 88.221.144.179:80 | | tcp |
| US | 13.89.178.26:443 | | tcp |
| US | 8.8.8.8:53 | www.thedentalmethoddallas.com | udp |
| US | 8.8.8.8:53 | www.lifeonloan.com | udp |
| US | 8.8.8.8:53 | www.humblebullykennelsstore.com | udp |
| US | 8.8.8.8:53 | www.4v5z41.xyz | udp |
| US | 54.166.223.180:80 | www.4v5z41.xyz | tcp |
| US | 8.8.8.8:53 | www.kekenapeps.com | udp |
| US | 69.57.161.210:80 | www.kekenapeps.com | tcp |
Files
memory/1672-130-0x00000000005B0000-0x00000000005EC000-memory.dmp
memory/3736-131-0x0000000000000000-mapping.dmp
memory/3736-132-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3736-133-0x0000000001170000-0x00000000014BA000-memory.dmp
memory/3736-135-0x0000000001140000-0x0000000001151000-memory.dmp
memory/2040-136-0x00000000080B0000-0x00000000081BD000-memory.dmp
memory/3960-137-0x0000000000000000-mapping.dmp
memory/3736-138-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4804-139-0x0000000000000000-mapping.dmp
memory/3960-140-0x0000000000220000-0x0000000000236000-memory.dmp
memory/3960-141-0x0000000000E00000-0x0000000000E2B000-memory.dmp
memory/3960-142-0x0000000002DE0000-0x000000000312A000-memory.dmp
memory/3960-143-0x0000000002B80000-0x0000000002C10000-memory.dmp
memory/2040-144-0x00000000029C0000-0x0000000002A7D000-memory.dmp
memory/3960-145-0x0000000000E00000-0x0000000000E2B000-memory.dmp
memory/2040-146-0x00000000029C0000-0x0000000002A7D000-memory.dmp
memory/4008-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |